Characterizing and defending against divide-conquer-scanning worms

Chao Chen a,*, Zesheng Chen a, Yubin Li b,1

a Department of Engineering, Indiana University – Purdue University Fort Wayne, Fort Wayne, IN 46805, United States
b Department of Software and Information System, University of North Carolina at Charlotte, Charlotte, NC 28223, United States

Computer Networks 54 (2010) 3210–3222. doi:10.1016/j.comnet.2010.06.010. © 2010 Elsevier B.V. All rights reserved.

Article history: Received 17 October 2009; Received in revised form 20 April 2010; Accepted 14 June 2010; Available online 22 June 2010. Responsible Editor: W. Wang.

Keywords: Security; Worm attacks; Divide-conquer scanning; Modeling; Simulations; Defense

Abstract

Internet worms are a significant security threat. Divide-conquer scanning is a simple yet effective technique that can potentially be exploited for future Internet epidemics. Therefore, it is imperative that defenders understand the characteristics of divide-conquer-scanning worms and study the effective countermeasures. In this work, we first examine the divide-conquer-scanning worm and its potential to spread faster and stealthier than a traditional random-scanning worm. We then characterize the relationship between the propagation speed of divide-conquer-scanning worms and the distribution of vulnerable hosts through mathematical analysis and simulations. Specifically, we find that if vulnerable hosts follow a non-uniform distribution such as the Witty-worm victim distribution, divide-conquer scanning can spread a worm much faster than random scanning. We also empirically study the effect of important parameters on the spread of divide-conquer-scanning worms and a worm variant that can potentially enhance the infection ability at the late stage of worm propagation. Furthermore, to counteract such attacks, we discuss the weaknesses of divide-conquer scanning and study two defense mechanisms: infected-host removal and active honeynets. We find that although the infected-host removal strategy can greatly reduce the number of final infected hosts, active honeynets (especially uniformly distributed active honeynets) are more practical and effective to defend against divide-conquer-scanning worms.

Part of this work has been presented at the IEEE International Performance Computing and Communications Conference (IPCCC), December 2008 [4].
* Corresponding author. Tel.: +1 260481 6359. E-mail addresses: [email protected] (C. Chen), [email protected] (Z. Chen), [email protected] (Y. Li).
1 Yubin Li was with the Department of Electrical and Computer Engineering at Florida International University when this work was performed.

1. Introduction

Internet worms self-propagate across the Internet by compromising vulnerable hosts and using them to attack other victims. Such malicious attacks have caused enormous damage and pose a significant security threat. For example, the Witty-worm infected at least 12,000 hosts in 45 min in 2004 [17], and the Storm worm affected tens of millions of hosts in 2007 [13]. Therefore, worms have been a significant threat to the Internet. Moreover, in 2003 the top four grand research challenges in information security and assurance have been identified, including eliminating epidemic-style attacks (such as viruses, worms, and email spam) within 10 years, developing tools and principles that allow the construction of large-scale systems for important societal applications, developing quantitative information-systems risk management, and giving end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future [29]. It can be seen that Internet worms are on this list and are targeted for elimination by 2014.

To protect the Internet from worm attacks, we have to study the attacking methods that have been used by existing worms or will potentially be used by future worms.

A key factor for an efficient worm attack is how a worm finds a target, which is called the scanning method. Although most real world worms use the simple random-scanning method [5], many advanced worm-scanning strategies have been studied, including localized scanning [3], hitlist scanning [19], permutation scanning [19], routable scanning [22,27], importance scanning [6], and divide-conquer scanning [4]. Different scanning methods have been designed for different purposes. We find, however, that all scanning strategies have to consider the following three parameters:

• Scanning rate: the rate at which a worm sends out scans to find targets. A worm may deliver as many scans as possible, such as the Slammer worm [11]; or dispatch scans slowly to avoid detection, such as the camouflaging worm [25].
• Scanning probability: the probability that a worm scans a specific address. A worm may use a uniform scanning method that can hit each address with equal probability, such as random scanning; or use a biased strategy that prefers scanning a certain range of IP addresses, such as importance scanning.
• Scanning space: the IP address space among which an infected host searches for vulnerable hosts. A worm can scan an entire IPv4 address space, such as localized scanning; or probe a routable address space, such as routable scanning. Moreover, different infected hosts may scan different address spaces at the same time.

Many studies on worm-scanning methods have focused on the scanning rate and the scanning probability [25,24,22,26,15,6,7,21]. The methods that explore the scanning space, however, have been little investigated.

Divide-conquer scanning is a simple strategy that exploits the scanning space and makes different infected hosts probe different scanning spaces. Specifically, an infected host A searches for targets in its scanning space. Once A infects a target B, it will divide its scanning space into halves so that A scans one half and B scans the other half. Divide-conquer scanning is named after the "divide-and-conquer algorithm" that recursively breaks down a problem into two or more sub-problems until these sub-problems become simple enough to be solved directly [9]. Similar to the divide-and-conquer algorithm, divide-conquer scanning attempts to partition the task of finding targets in a large address space into the sub-tasks of locating victims in a small address sub-space.

Although simple, divide-conquer scanning exhibits some prominent characteristics:

• Efficiency: It attempts to avoid the case that different infected hosts attack the same target. Hence, the scanning is more efficient.
• Propagation speed: It can potentially spread a worm much faster than random scanning. We will show this analytically and empirically in the paper.
• Stealth: It can propagate an epidemic stealthier than random scanning and avoid the detection of some defense systems such as network telescopes from CAIDA [28]. We will demonstrate this in Section 2.

As a result, divide-conquer scanning can be a powerful attacking tool in future Internet epidemics.

To the best of our knowledge, only two works have studied divide-conquer-scanning worms. Specifically, divide-conquer scanning was first presented in [22], and was later modeled mathematically in [26]. Both works assume that vulnerable hosts are uniformly distributed and show that under such a condition, a divide-conquer-scanning worm has a similar propagation speed as a random-scanning worm. The real distributions of vulnerable hosts in the Internet, however, have been shown to be highly uneven [11,12,17,15,2,7,8,21]. Therefore, it is unclear how fast divide-conquer-scanning worms can spread in the Internet and how defenders can fight against them.

The goal of this work is to better understand the spreading ability and the characteristics of divide-conquer-scanning worms, as well as to find effective countermeasure mechanisms. Our research work makes several contributions:

• We analytically and empirically demonstrate the effect of the vulnerable-host distribution on the spread of divide-conquer-scanning worms. Specifically, if the distribution of vulnerable hosts is not uniform, divide-conquer scanning can spread a worm faster than random scanning. This is because divide-conquer scanning could lead an epidemic to spread towards address sub-spaces with many vulnerable hosts. On the other hand, if the distribution of vulnerable hosts is uniform, divide-conquer scanning is slightly slower than random scanning at the late stage of worm propagation.
• We empirically study the effects of important parameters on the propagation of divide-conquer-scanning worms, such as the number of initially infected hosts (i.e., hitlist), the scanning rate, and the degree of divide and conquer. Specifically, while the hitlist has a limited effect on the propagation speed of divide-conquer-scanning worms, the scanning rate affects the spread significantly. Moreover, if vulnerable hosts follow the distribution of Witty-worm victims, partitioning the address space beyond /8 subnets has little improvement on the spreading speed of a divide-conquer-scanning worm.
• We design a variant of divide-conquer scanning that can adapt scanning spaces based on the density of uninfected vulnerable hosts and is called ping-pong divide-conquer scanning. We empirically show that such a variant can potentially enhance the infection ability at the late stage of worm propagation.
• We discuss the weaknesses of divide-conquer-scanning worms and present two potential countermeasures: infected-host removal and active honeynets. Specifically, we point out that removing infected hosts at the early stage has a significant effect on divide-conquer-scanning worms, and that using active honeynets (especially uniformly distributed active honeynets) to mislead divide-conquer-scanning worms can greatly slow down the worm spread. Moreover, since the infected-host removal strategy requires the knowledge of infected hosts at the early stage of worm propagation and its performance can be weakened by increasing the size of the hitlist of worms, using uniformly distributed active honeynets is potentially more practical and powerful against future intelligent worms.

The remainder of this paper is structured as follows. Section 2 discusses the importance of studying divide-conquer scanning. Section 3 provides a mathematical model of the spread of divide-conquer-scanning worms under special cases of vulnerable-host distributions. Section 4 studies divide-conquer scanning through simulations. Section 5 discusses potential countermeasures. Finally, Section 6 concludes the paper.

2. Motivations

In this section, we first give the background on divide-conquer scanning. We then discuss why divide-conquer scanning can potentially spread a worm faster and stealthier than random scanning.

2.1. Divide-conquer scanning

Most real Internet worms use random scanning (RS) to locate vulnerable hosts. RS selects target IPv4 addresses uniformly, and each infected host scans the entire IPv4 address space. Comparatively, divide-conquer scanning (DCS) partitions the IPv4 address space into non-overlapping sub-spaces, and each infected host scans a different sub-space simultaneously. Specifically, the process of DCS is shown in Fig. 1. Assume that a DCS worm starts the propagation from an infected host A, which is searching for targets in the entire IPv4 address space, i.e., 0.0.0.0/0. Note that at the beginning A behaves identically to RS and randomly selects IPv4 addresses to find vulnerable hosts. When A hits a vulnerable host B, A divides the scanning space into halves so that A scans 0.0.0.0/1 and B scans 128.0.0.0/1. More generally, if an infected host X is scanning subnet a.b.c.d/k ($0 \le k < 32$) and then hits a vulnerable host Y, X divides its scanning space so that X scans one half a.b.c.d/(k + 1) and Y scans the other half a.b.c.d/k − a.b.c.d/(k + 1). In this way, the large IPv4 address space is divided into small address sub-spaces or subnets, which are processed by individual infected hosts. Note that once a scanning space is allocated to an infected host, this host will scan this space uniformly until it hits a target.

Fig. 1. Concept of divide-conquer scanning. (Figure residue: hosts A, B, C and D with scanning spaces 0.0.0.0/0, 0.0.0.0/1, 128.0.0.0/1, 0.0.0.0/2, 64.0.0.0/2, 128.0.0.0/2 and 192.0.0.0/2.)

To bridge RS and DCS, in this work we consider a generalized version of DCS, called /l DCS, which works as follows:

• If an infected host is scanning subnet a.b.c.d/k and $k < l$, this host follows the original DCS and divides its scanning space into halves after it compromises a target.
• Otherwise, if $k = l$, the host will not further divide its scanning space and will still scan a.b.c.d/l even after infecting other hosts. The new victims compromised by this host will also scan subnet a.b.c.d/l.

As a result, RS can be regarded as a special case of /l DCS when $l = 0$, whereas the original DCS is another special case of /l DCS when $l = 32$. Moreover, $l$ reflects the degree of divide and conquer, and a higher value of $l$ indicates a higher degree of divide and conquer. The notations used in this paper are summarized in Table 1.

2.2. Worm propagation speed

DCS can potentially spread a worm much faster than RS, depending on the distribution of vulnerable hosts. To show this intuitively, we construct an example and compare DCS with RS. Specifically, we consider a discrete-time system. Assume that there are $N$ vulnerable hosts in total, and $N = 2^{16}$. The distribution of vulnerable hosts is extremely uneven so that all vulnerable hosts are contained in one /16 subnet. The worm starts the propagation from an infected host, and each infected host sends out $s$ scans per unit time. We then calculate the propagation time $T(n)$, i.e., the average time for a scanning method to infect $n$ vulnerable hosts at the early stage.

First, we consider RS. If there are currently $i$ infected hosts, the probability for a worm scan to hit an uninfected vulnerable host is $\frac{N-i}{X}$, where $X = 2^{32}$. Then, the probability of recruiting a new victim at the next time step is

$$p_{RS}(i) = s \cdot i \cdot \frac{N-i}{X}. \quad (1)$$

Here, we ignore the case that two or more worm scans hit the same target simultaneously at the early stage of worm propagation. Then, the time for $i$ infected hosts to hit a vulnerable host, $X_{RS}(i)$, is a random variable and follows the geometric distribution with parameter $p_{RS}(i)$, i.e.

$$\Pr(X_{RS}(i) = k) = p_{RS}(i)\,(1 - p_{RS}(i))^{k-1}, \quad k = 1, 2, \ldots \quad (2)$$

Therefore, the average time for $i$ infected hosts to recruit the $(i+1)$-th victim is

$$t_{RS}(i) = E[X_{RS}(i)] = \frac{1}{p_{RS}(i)} = \frac{X}{s \cdot i \cdot (N-i)}, \quad (3)$$

which leads to the calculation of the propagation time of RS:

$$T_{RS}(n) = \sum_{i=1}^{n} t_{RS}(i) = \sum_{i=1}^{n} \frac{1}{p_{RS}(i)} = \frac{X}{s} \sum_{i=1}^{n} \frac{1}{i(N-i)}. \quad (4)$$

Table 1. Notations used in this paper.

Notation   Definition or explanation
l          Degree of divide and conquer for DCS
X          Size of the scanning space (X = 2^32)
N          Total number of vulnerable hosts
s          Scanning rate, or the number of scans sent by an infected host per unit time
T(n)       Average time for a scanning method to infect n hosts at the early stage of worm propagation
I_t        Number of infected hosts at time t

Next, we study /l DCS and assume that $l = 16$. The propagation of a DCS worm is demonstrated in Fig. 2, where the shaded area indicates the /16 subnet containing all vulnerable hosts. Now we consider two cases:

• Case 1: $n \le 16$. When there are $i$ infected hosts and $i \le 16$, only one infected host is scanning the $X/2^{i-1}$ space that contains vulnerable hosts, whereas other infected hosts cannot recruit any victim. Hence, the probability for these $i$ infected hosts to find a vulnerable host in one time step is

$$p_{DCS}(i) = \frac{s(N-i)}{X/2^{i-1}}. \quad (5)$$

Therefore, when $n \le 16$, the propagation time of DCS is

$$T_{DCS}(n) = \sum_{i=1}^{n} \frac{1}{p_{DCS}(i)} = \frac{X}{s} \sum_{i=1}^{n} \frac{1}{2^{i-1}(N-i)}. \quad (6)$$

Comparing Eqs. (4) and (6), we find that $T_{DCS}(n) < T_{RS}(n)$ when $2 < n \le 16$.
• Case 2: $n > 16$. After infecting 16 hosts, the /16 DCS worm will hit the /16 subnet that contains all vulnerable hosts and will scan this subnet uniformly without further divide and conquer. Since each scan from newly infected hosts would hit a vulnerable host, the scanning method becomes hitlist scanning [19], which obviously spreads a worm far faster than RS.

Combining the two cases, we conclude that DCS can spread a worm faster than RS. Furthermore, the example shows that DCS could lead a worm to propagate towards a subnet with many vulnerable hosts.

Fig. 2. Illustration of divide-conquer scanning.
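As an added worked example (not code from the paper), the following Python evaluates Eqs. (4) and (6) exactly with rational arithmetic for the Section 2.2 setting, so the claim that $T_{DCS}(n) < T_{RS}(n)$ for $2 < n \le 16$ can be checked term by term rather than read off; the value $s = 1{,}200$ and the function names are assumptions.

```python
from fractions import Fraction

# Added example, not the authors' code. Parameters follow the Section 2.2 example:
# X = 2^32 addresses, N = 2^16 vulnerable hosts all inside one /16, and s scans per
# unit time per infected host (s = 1,200 is an assumed value for illustration).
X = 2 ** 32
N = 2 ** 16
S = 1200


def t_rs(n, s=S, x=X, n_vuln=N):
    """Eq. (4): T_RS(n) = (X/s) * sum_{i=1}^{n} 1 / (i (N - i)), computed exactly."""
    return Fraction(x, s) * sum(Fraction(1, i * (n_vuln - i)) for i in range(1, n + 1))


def t_dcs(n, s=S, x=X, n_vuln=N):
    """Eq. (6): T_DCS(n) = (X/s) * sum_{i=1}^{n} 1 / (2^(i-1) (N - i)).
    Only Case 1 of Section 2.2 (n <= 16) is covered by this closed form."""
    if not 1 <= n <= 16:
        raise ValueError("Eq. (6) holds for Case 1 only, 1 <= n <= 16")
    return Fraction(x, s) * sum(Fraction(1, 2 ** (i - 1) * (n_vuln - i)) for i in range(1, n + 1))


def speedup(n):
    """T_RS(n) / T_DCS(n); greater than 1 means DCS reaches n infections sooner."""
    return float(t_rs(n) / t_dcs(n))


def dcs_faster_range():
    """Values of n in Case 1 for which T_DCS(n) < T_RS(n) holds strictly.
    For n = 1 and n = 2 the two sums share the same terms, so DCS gains only from n = 3."""
    return [n for n in range(1, 17) if t_dcs(n) < t_rs(n)]


if __name__ == "__main__":
    for n in (1, 2, 4, 8, 16):
        print(f"n={n:2d}  T_RS={float(t_rs(n)):9.3f}  T_DCS={float(t_dcs(n)):9.3f}  "
              f"ratio={speedup(n):.3f}")
```

The first term of both sums is the expected time for a single host to find its first victim, $X/(s(N-1))$, which is about 55 time units at these parameters; the DCS advantage at $n = 16$ comes entirely from the $2^{i-1}$ factor shrinking the later terms.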

It has been shown that the real distribution of vulnerable hosts is highly uneven [11,12,17,15,2,7,8,21]. To show this point, we plot the number of Witty-worm victims over /16 subnets in Fig. 3, based on the dataset provided by CAIDA [30]. In this figure, it can be seen that some /16 subnets contain many more vulnerable hosts than other subnets. Moreover, only a small number of subnets have a large number of targets.

2.3. Stealth

DCS can propagate a worm stealthier than RS and weaken the performance of detection systems such as network telescopes. Network telescopes were proposed by CAIDA and monitor a globally routable address space where no active servers or services reside [28]. Hence, most traffic arriving at network telescopes is unwanted or malicious. CAIDA has used an entire /8 subnet as a network telescope and successfully observed the spreading behaviors of several large-scale RS Internet worm attacks such as Code-Red [12], Slammer [11], and Witty [17]. The network telescopes used by CAIDA, however, may fail to detect the propagation of DCS worms. Specifically, assume that a subnet a.b.c.d/k is used as a network telescope and contains no vulnerable hosts. Consider a DCS worm that starts from an infected host. In the best case, the network telescope can only observe the scans from $k + 1$ different infected hosts that scan a.b.c.d/i where $i = 0, 1, \ldots, k$. For example, if $k = 8$, as for the real network telescope used by CAIDA, at most nine infected hosts would be perceived. Since the current level of background noise on network telescopes is high [16], it is very difficult to detect the appearance of worms based on the observations of the traffic from such a small number of infected hosts.

Fig. 3. Distribution of Witty-worm victims over /16 subnets.

DCS can also weaken the performance of some other detection mechanisms. For example, the systems proposed in [18,10] make use of destination address dispersion to detect worm appearance. These systems assume that once a worm is released, the distribution of its destination addresses will be far more even than typical network traffic, which usually has significant clustering. A host infected by DCS worms, however, may only scan a small subnet, instead of the entire IPv4 address space, and thus lead to a skewed distribution of destination addresses. Therefore, the systems in [18,10] cannot detect DCS worms as easily as RS worms. To demonstrate this point quantitatively, we consider the sample entropy, which is proposed in [10] to capture the degree of dispersal or concentration of a distribution. Specifically, the sample entropy is defined as

$$H(X) = -\sum_{i=1}^{M} \left(\frac{n_i}{S}\right) \log_2 \left(\frac{n_i}{S}\right), \quad (7)$$

where variable $X = \{n_i, i = 1, 2, \ldots, M\}$, representing that feature $i$ occurs $n_i$ times in the samples, and $S = \sum_{i=1}^{M} n_i$, representing the total number of observations. The value of the sample entropy lies in the range $[0, \log_2 M]$, where a higher value indicates a higher degree of dispersal or a lower concentration of a distribution. For worms, we consider the traffic feature of the destination address in a sampled data packet. If the detector monitors /8 subnet masks of the destination addresses, $M$ is the number of /8 subnets, i.e., $M = 2^8$, and $n_i$ is the number of packets of a host towards the $i$th /8 subnet. When RS Internet worms are studied, since RS selects targets randomly in the IPv4 address space, the sample entropy of destination addresses of an infected host is expected to be large and close to $\log_2 M = 8$, as pointed out by [10]. However, if a vulnerable host is infected by a DCS worm and is scanning a /m subnet, where $m \ge 8$, all worm traffic is destined to the same /8 subnet, and the sample entropy of destination addresses of malicious traffic from this host is 0. Hence, DCS worms can better avoid the detection of the system in [10] than RS worms.
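The following Python is an added example, not the detector of [10] or the authors' code: it implements the sample entropy of Eq. (7) over the /8 prefixes of a host's destination addresses and applies it to constructed scan samples from hosts scanning a /0, a /4 and a /16, which is the defender-side view of the point made above. Function names, the sample sizes and the detection threshold are assumptions.

```python
import math
import random
from collections import Counter

# Added example, not the detector of [10] or the authors' code. Names below
# (sample_entropy, dest_slash8_entropy, scans_in_subnet, is_dispersed) are assumed.


def sample_entropy(counts):
    """Eq. (7): H(X) = -sum_i (n_i/S) log2 (n_i/S), with S = sum_i n_i.
    Zero-count features contribute nothing, so the result lies in [0, log2 M]."""
    s = sum(counts)
    if s == 0:
        raise ValueError("no observations")
    return -sum((n / s) * math.log2(n / s) for n in counts if n > 0)


def dest_slash8_entropy(dest_addrs):
    """Entropy of the /8 prefixes of a host's destination addresses (M = 2^8 buckets)."""
    counts = Counter(addr >> 24 for addr in dest_addrs)
    return sample_entropy(counts.values())


def scans_in_subnet(base, prefix_len, count, seed=0):
    """Constructed sample: `count` destinations drawn uniformly from base/prefix_len,
    i.e. what a host scanning that subnet uniformly would emit."""
    rng = random.Random(seed)
    size = 1 << (32 - prefix_len)
    return [base + rng.randrange(size) for _ in range(count)]


def is_dispersed(dest_addrs, threshold=6.0):
    """Dispersion rule in the spirit of [10]: flag a host whose /8 destination entropy
    approaches log2(256) = 8. The threshold is an assumed tuning value."""
    return dest_slash8_entropy(dest_addrs) >= threshold


def entropy_by_scanning_space(samples=4096, seed=1):
    """Entropy seen by the detector for an RS host (/0), a DCS host that has split
    down to a /4 (16 possible /8 buckets), and a DCS host scanning a /16 (one bucket)."""
    return {
        "rs_/0": dest_slash8_entropy(scans_in_subnet(0, 0, samples, seed)),
        "dcs_/4": dest_slash8_entropy(scans_in_subnet(0x10000000, 4, samples, seed)),
        "dcs_/16": dest_slash8_entropy(scans_in_subnet(0x0A0B0000, 16, samples, seed)),
    }


if __name__ == "__main__":
    for name, h in entropy_by_scanning_space().items():
        print(f"{name:8s} H = {h:.3f} bits")
```

A host confined to a /m with $m \ge 8$ yields exactly zero entropy regardless of sample size, while a host still scanning a /4 is capped at 4 bits; a detector that only fires near 8 bits therefore misses DCS hosts once the split has gone past a few levels, which is the weakness the paragraph above describes.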

3. Mathematical model

In this section, we extend the analytical active worm propagation (AAWP) model [5] to characterize the spread of the original DCS worms (i.e., /32 DCS worms). Our goal in studying the mathematical model is to provide insights on how DCS worms spread over different vulnerable-host distributions, especially over non-uniform distributions. Specifically, we assume that all vulnerable hosts are uniformly distributed in a /m ($m \ge 0$) network. That is, there is no vulnerable host outside this /m network. Thus, when $m \ge 1$, the uniform distribution in a /m network is indeed a non-uniform vulnerable-host distribution. Moreover, when $m$ is larger, the degree of non-uniformity is greater. We start from a simple case and then study more complex cases.

3.1. Uniform in the IPv4 address space (m = 0)

We first assume that vulnerable hosts are uniformly distributed in the entire IPv4 address space, which has been studied in [22,26]. Let $I_t$ be the number of infected hosts at the discrete time $t$ ($t \ge 0$). Assume that the worm starts from an infected host, i.e., $I_0 = 1$. Since the distribution of vulnerable hosts is uniform, all $I_t$ infected hosts can be assumed to behave identically, and each of them uses a scanning rate of $s$ to probe a non-overlapping address sub-space with the size of $X/I_t$. The probability that a vulnerable host is hit by at least one worm scan in a unit time is $1 - [1 - 1/(X/I_t)]^s$. Therefore, we can extend the AAWP model to characterize $I_{t+1}$ recursively, i.e.,

$$I_{t+1} = I_t + (N - I_t)\left[1 - \left(1 - \frac{I_t}{X}\right)^s\right] \quad (8)$$

$$\approx I_t + \frac{s}{X} I_t (N - I_t), \quad (9)$$

where $X \gg 1$. Note that Eq. (8) is identical to the result in [22]. Eq. (9) implies that when $m = 0$, the original DCS is equivalent to RS (i.e., /0 DCS) from the perspective of mathematical modeling.

3.2. Uniform in Half of the IPv4 address space (m = 1)

Next, we consider that all vulnerable hosts are uniformly distributed in half of the IPv4 address space (i.e., 0.0.0.0/1). That is, the other half of the IPv4 address space (i.e., 128.0.0.0/1) contains no vulnerable host. When $1 \le I_t < 2$, the initially infected host scans the entire IPv4 address space uniformly, and Eq. (8) still holds. When $I_t \ge 2$, one infected host scans the half of the IPv4 address space that contains no vulnerable host (i.e., 128.0.0.0/1), and the other $I_t - 1$ infected hosts partition the other half of the IPv4 address space into sub-spaces of equal size $X/[2(I_t - 1)]$. Then, the probability that a vulnerable host is hit by at least one scan in a unit time is $1 - [1 - 2(I_t - 1)/X]^s$. Therefore, $I_{t+1}$ can be described as

$$I_{t+1} = I_t + (N - I_t)\left[1 - \left(1 - \frac{2(I_t - 1)}{X}\right)^s\right] \quad (10)$$

$$\approx I_t + \frac{2s}{X}(I_t - 1)(N - I_t). \quad (11)$$

Comparing Eq. (11) with Eq. (9), we find that a DCS worm can spread faster in the case when $m = 1$ than in the case when $m = 0$.

3.3. Uniform in a /m network

Finally, we study a more general case in which all vulnerable hosts are uniformly distributed in a /m ($m \ge 0$) network. The following two situations are considered. The first situation is when $I_t < m + 1$. Specifically, when $i \le I_t < i + 1$ ($i = 1, 2, \ldots, m$), $i - 1$ infected hosts scan the address sub-spaces that contain no vulnerable host, whereas the other $I_t - (i - 1)$ infected hosts probe the address sub-space with the size of $X/2^{i-1}$. Then, the probability that a vulnerable host is hit by at least one scan in a unit time is $1 - [1 - 2^{i-1}(I_t - i + 1)/X]^s$. Therefore, $I_{t+1}$ is derived as

$$I_{t+1} = I_t + (N - I_t)\left\{1 - \left[1 - \frac{2^{i-1}(I_t - i + 1)}{X}\right]^s\right\} \approx I_t + \frac{2^{i-1}s}{X}(I_t - i + 1)(N - I_t). \quad (12)$$

The second situation is when $I_t \ge m + 1$. In such a situation, $m$ infected hosts scan the sub-spaces containing no vulnerable host, whereas the other $I_t - m$ infected hosts partition the /m subnet into sub-spaces with an equal size of $X/[2^m(I_t - m)]$. Therefore, the spread of DCS worms can be modeled as

$$I_{t+1} = I_t + (N - I_t)\left\{1 - \left[1 - \frac{2^m(I_t - m)}{X}\right]^s\right\} \approx I_t + \frac{2^m s}{X}(I_t - m)(N - I_t). \quad (13)$$

Note that Eq. (13) implies that when $m = l$, the original DCS is equivalent to /l DCS from the view of modeling. It can be seen that when $m$ is larger, i.e., the distribution of vulnerable hosts is more uneven, the DCS worm can spread faster.

Fig. 4 shows the effect of vulnerable-host distributions on the spread of DCS worms by applying the above equations and varying $m$. Here, a DCS worm starts from an infected host (i.e., $I_0 = 1$) and uses a scanning rate of 1,200 per second to infect a vulnerable population of $2^{16}$ (= 65,536). When $m = 0$, i.e., the distribution of vulnerable hosts is uniform, a DCS worm takes 857 s to compromise 99% of vulnerable hosts. When $m$ becomes larger, i.e., the distribution of vulnerable hosts becomes more uneven, the DCS worm spends less time to infect the same number of hosts. Specifically, when $m$ = 1, 2, 4, 8, and 16, the worm takes only 466, 271, 125, 79, and 76 s to infect 99% of vulnerable hosts. Moreover, it is seen that when $m \ge 8$, the worm propagates with a similar speed.
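As an added example (not the authors' code), the following Python iterates the exact, non-approximated forms of Eqs. (8), (12) and (13) for the Fig. 4 setting and reports the time to 99% infection for each $m$; the function names are assumptions, and because the right-hand approximations in Eqs. (12) and (13) are not used, the computed times can differ by a few seconds from the figures quoted above while showing the same ordering.

```python
# Added example, not the authors' code. Assumed names: dcs_model_step,
# time_to_fraction, infection_curve. Defaults follow Fig. 4: N = 65,536,
# s = 1,200 scans per second, I_0 = 1, X = 2^32.
X = 2 ** 32


def dcs_model_step(i_t, m, n_total=2 ** 16, s=1200, x=X):
    """One time step of the original (/32) DCS worm when all vulnerable hosts are
    uniform in a /m network, using the exact forms: Eq. (12) while I_t < m + 1,
    Eq. (13) once I_t >= m + 1 (m = 0 reduces to Eq. (8))."""
    if i_t < m + 1:
        i = int(i_t)                                 # i <= I_t < i + 1, i in 1..m
        live = 2 ** (i - 1) * (i_t - i + 1) / x      # 2^(i-1)(I_t - i + 1)/X of Eq. (12)
    else:
        live = 2 ** m * (i_t - m) / x                # 2^m(I_t - m)/X of Eq. (13)
    # Probability that a given vulnerable host is hit by at least one scan in the step;
    # the bracket is clamped so a large m cannot push the base below zero.
    p_hit = 1.0 - (1.0 - min(live, 1.0)) ** s
    return i_t + (n_total - i_t) * p_hit


def time_to_fraction(m, frac=0.99, n_total=2 ** 16, s=1200, i0=1.0, max_t=100000):
    """Time units until I_t >= frac * N under the model; None if never reached."""
    i_t = float(i0)
    for t in range(max_t + 1):
        if i_t >= frac * n_total:
            return t
        i_t = dcs_model_step(i_t, m, n_total, s)
    return None


def infection_curve(m, steps, n_total=2 ** 16, s=1200, i0=1.0):
    """I_0 .. I_steps, the quantity plotted against time in Fig. 4."""
    curve = [float(i0)]
    for _ in range(steps):
        curve.append(dcs_model_step(curve[-1], m, n_total, s))
    return curve


if __name__ == "__main__":
    for m in (0, 1, 2, 4, 8, 16):
        print(f"m={m:2d}: 99% of hosts infected after {time_to_fraction(m)} s")
```

The clamp matters only in the exact form: for $m = 16$ and $I_t$ near $N$ the bracket term $2^m(I_t - m)/X$ approaches 1, and at that point a single step infects essentially all remaining hosts, which is the hitlist-like jump behind the nearly linear curves discussed later for $u = 12$ and $16$.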

4. Simulation study

In this section, we apply simulations to study DCS worms. Although the mathematical model in Section 3 provides a direct relationship between the propagation speed of DCS worms and the distribution of vulnerable hosts under specific cases, simulations on the spread of DCS worms are still necessary for three reasons:

• The model in Section 3 is built upon a simplified assumption, i.e., infected hosts that scan towards the /m network are assumed to behave identically. But simulations can relax this assumption and provide a more realistic scenario.
• The model only considers specific cases of vulnerable-host distributions, i.e., uniform in a /m network. But simulations can study arbitrary distributions of vulnerable hosts.
• The model only characterizes the average number of infected hosts. However, simulations can give both the mean and the variation of the number of infected hosts.

Fig. 4. Effect of vulnerable-host distributions on the spread of DCS worms (N = 65,536, s = 1,200/s, and I0 = 1). (Plot: number of infected hosts, 0 to 7 × 10^4, against time in seconds, 0 to 900, for m = 0, 1, 2, 4, 8, and 16.)

In our simulations, a discrete event simulator is used to imitate the propagation of DCS worms. The simulator implements each worm scan through a random number generator and runs 100 times with different seeds in each scenario. Specifically, in each run we record the number of infected hosts varying over time. At each time tick, an infected host sends out $s$ scans, each of which is generated by a random number generator for a destination address in $[0, 2^{32} - 1]$. If the destination address is occupied by an uninfected vulnerable host, the number of infected hosts is increased by 1, and this host starts scanning other targets at the next time tick. Moreover, the partition of scanning spaces between the infector and the infectee follows /l DCS. The distribution of vulnerable hosts can be a synthetic one or a real one such as the distribution of Witty-worm victims. The default parameter setting for the simulated worm is that the worm starts from 100 initially infected hosts (i.e., $I_0 = 100$) and uses a scanning rate of 1,200 (i.e., $s = 1{,}200$) to compromise a vulnerable population of 65,536 (i.e., $N = 2^{16}$). Each of the initially infected hosts scans the entire IPv4 address space and follows /16 DCS.

4.1. Effect of vulnerable-host distributions

We first study how the distribution of vulnerable hosts affects the spread of /16 DCS worms. To reflect the degree of the unevenness of a distribution, we design the "nonuniform-u" (u = 0, 1, ..., 16) distribution as follows: The Internet is partitioned into 2^16 different /16 subnets, each of which is denoted as a.b.c.d/16. These 2^16 subnets are grouped into a.b.c.d/(16 − u) subnets, each of which has 2^u different /16 subnets. In each group, the first /16 subnet contains 2^u vulnerable hosts, whereas the other /16 subnets have no vulnerable host. In this way, the nonuniform-0 distribution denotes a uniform distribution, whereas the nonuniform-16 distribution reflects an extremely uneven distribution, i.e., all vulnerable hosts concentrate in a single /16 subnet. A higher value of u gives a more uneven distribution of vulnerable hosts.

3216 C. Chen et al. / Computer Networks 54 (2010) 3210–3222

Fig. 5 shows the spread of /16 DCS worms over the nonuniform-u distribution (when u = 0, 4, 8, 12, and 16) and the distribution of Witty-worm victims [30]. In this figure, the "5%" curve denotes that a worm propagates no faster than this curve in 5 out of 100 simulation runs. The same definition applies to the "25%", "50%", "75%", and "95%" curves. The "mean" curve is the average over 100 runs. It can be seen that when u increases, the DCS worm uses less time to compromise all vulnerable hosts. Moreover, the shape of the worm propagation curve differs significantly for different distributions of vulnerable hosts. Specifically, if u = 0, 4, and 8, the curve follows the well-known logistic curve [32]. If u = 12 and 16, however, the majority of the curve is nearly linear. Specifically, when u = 16, as pointed out in Section 2, after infecting 16 hosts, DCS changes to hitlist scanning, and thus, most vulnerable hosts are infected in a very short time. If vulnerable hosts follow the distribution of Witty-worm victims, the DCS worm can compromise most vulnerable hosts with a speed similar to the case when u = 8. It is observed, however, that for the distribution of Witty-worm victims, the worm spreads much faster at the early stage. The propagation rate sharply increases and achieves full speed around 50 s. Therefore, a DCS worm can potentially propagate relatively fast, especially at the early stage, under the realistic distribution of vulnerable hosts.

4.2. Effect of worm parameters

Next, we consider how the important parameters affect the propagation of DCS worms, such as the number of initially infected hosts (i.e., hitlist I0), the scanning rate (i.e., s), and the degree of divide and conquer (i.e., l). Fig. 6 demonstrates the spread of /16 DCS worms when these parameters vary. Note that for each scenario, vulnerable hosts follow the distribution of Witty-worm victims, and the curve is the "50%" curve over 100 runs. Specifically, Fig. 6(a) shows the spread of /16 DCS worms with different hitlist sizes, a vulnerable population of 2^16, and a scanning rate of 1,200. It is seen that the worm propagation speed slightly increases when the hitlist size increases from 50 to 200. Fig. 6(b) plots the propagation of /16 DCS worms with different scanning rates, a vulnerable population of 2^16, and a hitlist size of 100. It is observed that the worm increases its spreading speed significantly when the scanning rate increases from 800 to 2,000. Fig. 6(c) compares the spreading speeds of DCS worms with different degrees of divide and conquer, a vulnerable population of 2^16, a hitlist size of 100, and a scanning rate of 1,200. It is obvious that when l increases, the DCS worm spreads faster. However, when l ≥ 8, the improvement on the propagation speed by increasing l becomes marginal.

Fig. 5. Effect of vulnerable-host distributions on the spread of /16 DCS worms (N = 65,536, s = 1,200/s, and I0 = 100). [Figure: six panels, (a) nonuniform-0 (i.e., uniform), (b)–(e) nonuniform-u for the other values of u, and (f) Witty-worm victims; number of infected hosts vs. time (s), with 5%, 25%, 50%, 75%, 95% and mean curves.]

Fig. 6. Effect of parameters on the spread of DCS worms (N = 65,536 and Witty-like distribution). [Figure: number of infected hosts vs. time (s); (a) hitlist I0 = 50, 100, 150, 200; (b) scanning rate s = 800, 1200, 1600, 2000; (c) degree of divide and conquer l = 1, 2, 4, 6, 8, 12, 16.]

4.3. Comparison with random scanning

We further compare DCS with RS in Fig. 7. In the figure, the curve shows the mean of 100 runs, whereas the error bar represents the standard deviation over 100 runs. Here, the worm uses a hitlist size of 100 and a scanning rate of 1,200 to compromise a vulnerable population of 2^16. Two distributions of vulnerable hosts are applied to /16 DCS: the nonuniform-0 distribution (i.e., uniform distribution) and the distribution of Witty-worm victims. It is seen that when the distribution is uniform, the /16 DCS worm spreads slightly slower than an RS worm at the late stage. This is because for DCS worms, when the infected hosts in a /16 subnet become saturated, the scans from these hosts are unproductive. On the other hand, if vulnerable hosts follow the Witty-like distribution, /16 DCS spreads a worm much faster than RS. Specifically, RS uses 478 s to infect 90% of vulnerable hosts, whereas /16 DCS takes only 299 s.

Fig. 7. Comparison between RS and /16 DCS (N = 65,536, s = 1,200/s, and I0 = 100). [Figure: number of infected hosts vs. time (s); curves for RS, /16 DCS with nonuniform-0, and /16 DCS with the Witty-like distribution.]

Fig. 8. Scanning space state transition (1 ≤ k ≤ l). [Figure]

4.4. Variant DCS worms

It has been observed that if an infected host is scanning a subnet in which all vulnerable hosts have been infected, this host cannot recruit any new target. As a result, the propagation speed of /16 DCS worms slows down at the late stage. To accelerate the late-stage performance, a variant DCS worm is designed that can adapt scanning spaces according to the density of uninfected vulnerable hosts in the scanning space. Specifically, we enhance a /l DCS worm by adding the following algorithm:

• If an infected host is scanning subnet a.b.c.d/k (1 ≤ k ≤ l) and hits another host that is already infected, this host changes its scanning space to a.b.c.d/(k − 1). This procedure continues recursively until the host scans the entire IPv4 address space, i.e., k = 0.

We call this variant /l ping-pong divide-conquer scanning (/l PPDCS). The state transition of scanning spaces of /l PPDCS is shown in Fig. 8. The basic idea is that when an infected host probes a host that has already been infected, it realizes that infected hosts in its scanning space have probably become saturated and had better switch to scanning a larger address space.

We modify the simulator of DCS worms to implement the simulation of PPDCS worms. In Fig. 9, we compare the propagation speed of /16 DCS worms with that of /16 PPDCS worms. As in the previous experiments, a worm uses a hitlist size of 100 and a scanning rate of 1,200 to infect a vulnerable population of 2^16. The distribution of vulnerable hosts is either uniform among /16 subnets (i.e., nonuniform-0) or highly uneven (i.e., Witty-like distribution). In the figure, the curve is the average of 100 runs, whereas the error bar shows the standard deviation. It can be seen that when the vulnerable-host distribution is uniform, the propagation speed of the /16 PPDCS worm is almost identical to that of the /16 DCS worm. However, when the distribution follows the Witty-like distribution, the /16 PPDCS worm spreads faster than the /16 DCS worm. Specifically, the /16 DCS worm uses 299 s to infect 90% of vulnerable hosts, whereas the /16 PPDCS worm takes only 219 s. Therefore, the DCS variant (i.e., PPDCS) can potentially further enhance the infection ability of DCS worms.

5. Countermeasures

How can we defend against DCS worms? In this section, according to the characteristics of DCS worms, we study two countermeasures: infected-host removal and active honeynets.

Fig. 9. Variant DCS worms (N = 65,536, s = 1,200/s, and I0 = 100). [Figure: number of infected hosts vs. time (s); curves for /16 DCS and /16 PPDCS, each with the nonuniform-0 and the Witty-like distribution.]

5.1. Infected-host removal

A DCS worm assigns different address sub-spaces to different infected hosts so that the worm can spread efficiently and stealthily. The assignment of address sub-spaces leads to the fact that the failures of infected hosts at the early stage make the worm miss scanning a certain range of IP addresses [22]. Comparatively, an RS worm can still recruit all targets under the condition that most, but not all, infected hosts fail at the early stage. Therefore, RS is regarded as a robust scanning method, whereas DCS is not. That is, DCS is vulnerable to nodal failures or removal at the early stage.

Hence, we consider a simple countermeasure as follows: once the appearance of DCS worms is detected, remove part of the infected hosts immediately. Specifically, we study three different removal strategies:

• Random: remove infected hosts randomly.
• Space: remove infected hosts that scan the largest address sub-spaces.
• Targeted: remove infected hosts that scan address sub-spaces containing the largest number of vulnerable hosts.

A key question of applying infected-host removal strategies is how to detect infected hosts. There are different ways to detect an infected host, such as intrusion detection systems and honeynets. Specifically, an infected host that is scanning the IPv4 address space can be detected by the systems proposed in [18,10], whereas a compromised computer sending many scans in a short time can be flagged by the virus throttling tool [20]. Moreover, a host scanning honeynets with worm features (e.g., a specific port number or a vulnerability exploited) is likely to be infected by the worm [14].

Fig. 10(a) shows the effect of removing part of the infected hosts at the early stage using the random, space, and targeted strategies. Specifically, the /16 DCS worm attacks a vulnerable population of 65,536, starting from one infected host (i.e., I0 = 1). The distribution of vulnerable hosts is the Witty-like distribution. We assume that at time t1 when 100 hosts are compromised (i.e., I_t1 = 100), the worm is detected, and then 10%, 20%, and 50% of infected hosts are removed. We calculate the percentage of vulnerable hosts that can be infected eventually, i.e., the final infection percentage. For all strategies, we simulate DCS worm propagation over 100 runs with different seeds. Moreover, for each individual DCS worm spread under the countermeasure of the random removal strategy, we simulate randomly removing nodes for 100 independent runs. Each bar in the figure is the average over all runs, whereas the error bar represents the standard deviation. It is seen that if the random strategy is used, the percentage of vulnerable hosts that cannot be infected eventually is roughly the same as the percentage of infected hosts removed at time t1. Therefore, even a simple removal strategy has a significant effect on DCS worms. More advanced strategies (i.e., space and targeted) have a more significant influence on protecting vulnerable hosts. For example, when 10% of infected hosts are removed at time t1, the space and targeted strategies can reduce the final infection percentage to 29.58% and 15.85%, respectively. When the percentage of removed infected hosts increases to 50%, the space and targeted strategies further reduce the final infection percentage to 3.78% and 6.32%, respectively. Fig. 10(a) also shows that the targeted strategy is not always better than the space strategy. This is because we study a /16 DCS worm, instead of the original DCS worm. Once the worm hits a /16 subnet, it will not further divide the /16 subnet. Thus, some infected hosts may scan the same /16 subnet simultaneously. Moreover, the infected hosts at time t1 tend to concentrate in /16 subnets containing many vulnerable hosts. As a result, to protect the vulnerable hosts in a dense /16 subnet, all infected hosts that scan this subnet have to be removed. The targeted strategy, however, may not fulfill such a task in some cases.

On the other hand, attackers can strengthen DCS worms by adding scanning redundancy to avoid the issue of a single point of failure. For example, instead of starting from one infected host, the worm can spread from multiple initially infected hosts that all scan the entire IPv4 address space. Fig. 10(b) shows the final infection percentage under the countermeasures of the random, space, and targeted strategies when I0 = 10. Except for the size of the hitlist, the other parameters in Fig. 10(b) are the same as those in Fig. 10(a). It can be seen that after increasing the size of the hitlist to 10, the DCS worm is very robust against the random strategy. Even when 50% of nodes are removed at time t1, 99.95% of vulnerable hosts can still be infected. Moreover, when the percentage of removed nodes at time t1 is no greater than 20%, at least 68% of vulnerable hosts remain reachable under all strategies. Therefore, by increasing the size of the hitlist, the robustness of DCS worms can be significantly improved.

It is noted that the infected-host removal countermeasure requires the knowledge of infected hosts at the early stage of worm propagation. However, such knowledge may not be available or easy to obtain, especially after the worm has been spreading for a short time. To better defend against DCS worms, we next consider a more realistic strategy, i.e., active honeynets.

Fig. 10. Effect on /16 DCS worms by removing part of infected hosts at time t1 using different strategies (N = 65,536, I_t1 = 100, and Witty-like distribution). [Figure: two panels, (a) I0 = 1 and (b) I0 = 10; final infection percentage vs. percentage of removed infected hosts (10%, 20%, 50%), with bars for Random, Space, and Targeted.]

5.2. Active honeynets

Honeynets have been widely used in network security to collect the information of attacks [14,31,1,23]. Specifically, honeynets are a collection of computers that can intentionally be compromised by different attacks, so that the attacking packages can be obtained at the target. Active honeynets actively respond to the traffic of attacks, following standard Internet protocols and application protocols, and thus make the attacking source believe that the target has been compromised. However, hosts in honeynets never send out attacking traffic. Here, we study the effect of active honeynets against DCS worms.

For the honeynet countermeasure, the traditional use of honeynets is to detect infected hosts and worm propagation. But in this work, we use honeynets to mislead the infector into believing that a host in honeynets is a vulnerable host, and thus the infector would assign a scanning space to the host in honeynets. In this way, vulnerable hosts in the assigned space can potentially be protected. For example, a /l DCS worm starts from one initially infected host, and an infected host A is scanning IP address space a.b.c.d/k (0 ≤ k < l). If A hits a host in active honeynets and believes that it has compromised the target, then A will reduce its scanning space to scan only a.b.c.d/(k + 1). In this way, all vulnerable hosts in the address space a.b.c.d/k − a.b.c.d/(k + 1) can be protected from the DCS worm's attacks.

Based on the location of active honeynets, we can classify them into two types: centralized honeynets that occupy continuous IP addresses or a sub-network, and distributed honeynets that are scattered across different sub-networks. In this work, we specifically consider centralized and uniformly distributed honeypots as two extreme cases to study the effect of different distributions of honeynets against DCS worms.

5.2.1. Centralized honeynets

We extend our simulator to mimic the spread of DCS worms under the defense of centralized honeynets. The simulated DCS worm uses 100 initially infected hosts and a scanning rate of 1,200 to attack a vulnerable population of 65,536. The vulnerable-host distribution is the Witty-like distribution. Moreover, we assume that subnet 10.0.0.0/8 does not contain any vulnerable hosts and centralized honeynets are inside that subnet. Fig. 11 shows the propagation of /16 DCS worms under the protection of /16, /12, and /8 centralized honeynets. Similar to Fig. 5, Fig. 10 demonstrates the "5%", "25%", "50%", "75%", "95%", and "mean" curves over 100 simulation runs. For better comparison, we use the same axis ranges in all three sub-figures of Fig. 11 and plot the "50%" curves of worm spread under the defense of centralized honeynets with different sizes in Fig. 12. It can be seen that when the size of honeynets is larger, the DCS worm spreads slower, but with a greater variation. It can also be seen that when the size of honeynets is greater than 2^22, the defense can slow down worm propagation significantly. In particular, Fig. 12 shows that when honeynets use a /8 subnet, the number of infected hosts after the worm has spread for 400 s can be greatly reduced from 61,801 (without defense) to 555.

Does the location of centralized honeynets affect the effectiveness of the defense? To answer this question, we further show in Fig. 13 the spread of /16 DCS worms when /12 honeynets are located at subnet 10.0.0.0, 125.0.0.0, or 255.0.0.0. Here, we use the same setting as in Fig. 12. Based on the Witty-worm trace, there are no vulnerable hosts inside the subnet used by honeynets. In the figure, the curve is the mean over 100 runs, whereas the error bar shows the standard deviation of 100 runs. The figure demonstrates that the location of honeynets does indeed affect the worm spread. It can be seen that when honeynets are located at 255.0.0.0, the worm slows down more at the late stage. This result is related to the Witty-like distribution of vulnerable hosts. The relationship between the location of centralized honeynets and the distribution of vulnerable hosts is interesting, but is beyond the scope of this paper.

Fig. 11. Effect of /16, /12, and /8 centralized honeynets on /16 DCS worms (N = 65,536, s = 1,200/s, I0 = 100, and Witty-like distribution). [Figure: three panels, (a) /16, (b) /12, and (c) /8 centralized honeynets; number of infected hosts vs. time (s), with 5%, 25%, 50%, 75%, 95% and mean curves.]

Fig. 12. Effect of the size of centralized honeynets on /16 DCS worm propagation (N = 65,536, s = 1,200/s, I0 = 100, and Witty-like distribution). [Figure: number of infected hosts vs. time (s); curves for /16 DCS without defense and with honeynets at 10.0.0.0/16, 10.0.0.0/12, 10.0.0.0/10, and 10.0.0.0/8.]

Fig. 13. Effect of the location of centralized honeynets on /16 DCS worm propagation (N = 65,536, s = 1,200/s, I0 = 100, and Witty-like distribution). [Figure: number of infected hosts vs. time (s); curves for honeynets at 10.0.0.0/12, 125.0.0.0/12, and 255.0.0.0/12.]

5.2.2. Uniformly distributed honeynets

We next study the case when the distribution of active honeynets is uniform across different subnets. Specifically, we consider /l (l ≤ 16) uniformly distributed honeynets that have in total 2^(32−l) IP addresses. The Internet is partitioned into 2^16 subnets, and each subnet contains 2^(16−l) computers that are used by honeynets. We simulate a /16 DCS worm with the same parameters used in Fig. 11 and show the propagation of the worm under the protection of /16, /12, and /8 uniformly distributed honeynets in Fig. 14. Comparing Figs. 11 and 14, we can see that uniformly distributed honeynets can defend against DCS worms more effectively than centralized honeynets. For example, when /8 uniformly distributed honeynets are applied, a /16 DCS worm cannot infect more than 200 hosts on average. Therefore, distributed honeynets are effective to fight against future DCS worms.

Fig. 14. Effect of /16, /12, and /8 uniformly distributed honeynets on /16 DCS worms (N = 65,536, s = 1,200/s, I0 = 100, and Witty-like distribution). [Figure: three panels, (a) /16, (b) /12, and (c) /8 uniformly distributed honeynets; number of infected hosts vs. time (s), with 5%, 25%, 50%, 75%, 95% and mean curves.]
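The simulator of Section 4, the nonuniform-u layout of Section 4.1, the ping-pong variant of Section 4.4 and the uniformly distributed honeynets of this section, as one added example that is not the authors' simulator: the address space is shrunk to 2^16 addresses with /8 DCS granularity, so N = 2^8 vulnerable hosts, a hitlist of 4, 8 scans per tick and one honeynet address per /8 subnet, and the function names (nonuniform_u, uniform_honeynets, can_progress, simulate, time_to_infect) are all this example's assumptions. Splitting hands the infector the lower half of a.b.c.d/k and the infectee the upper half, so a hit on a honeynet leaves that upper half unscanned, which is the protection mechanism described above.

```python
"""Scaled-down discrete-event simulator of /l divide-conquer-scanning (DCS)
worm spread, with optional ping-pong widening (PPDCS) and active honeynets.
Added example, not the authors' simulator: addresses are ADDR_BITS-bit
integers rather than IPv4 addresses, so a run finishes in seconds."""
import random

ADDR_BITS = 16  # assumption: a 2^16-address "Internet" instead of 2^32


def nonuniform_u(u, l, seed=0, addr_bits=ADDR_BITS):
    """Vulnerable hosts in the paper's nonuniform-u layout, scaled down: the
    2^l subnets form runs of 2^u; the first subnet of each run holds 2^u
    hosts and the rest hold none, so N = 2^l for every u (u = 0 is uniform,
    u = l piles every host into a single /l subnet)."""
    rng, subnet, hosts = random.Random(seed), 1 << (addr_bits - l), set()
    for first in range(0, 1 << l, 1 << u):
        base = first * subnet
        hosts.update(rng.sample(range(base, base + subnet), 1 << u))
    return hosts


def uniform_honeynets(h, l, vulnerable, seed=0, addr_bits=ADDR_BITS):
    """/h active honeynets spread uniformly: every /l subnet gets
    2^(addr_bits-h-l) honeynet addresses, never on a vulnerable host."""
    rng, subnet, honey = random.Random(seed), 1 << (addr_bits - l), set()
    for base in range(0, 1 << addr_bits, subnet):
        free = [a for a in range(base, base + subnet) if a not in vulnerable]
        honey.update(rng.sample(free, 1 << (addr_bits - h - l)))
    return honey


def can_progress(vulnerable, scanners, l, ping_pong, addr_bits):
    """False once no scanner's space holds an uninfected vulnerable host (or,
    for PPDCS, an infected one that would make the scanner widen)."""
    spaces = set(scanners.values())
    for a in vulnerable:
        for k in range(l + 1):
            if (a >> (addr_bits - k), k) in spaces and (
                    a not in scanners or (ping_pong and k > 0)):
                return True
    return False


def simulate(vulnerable, l, honeynets=frozenset(), scan_rate=8, i0=4,
             ping_pong=False, max_ticks=10000, seed=1, addr_bits=ADDR_BITS):
    """Run one epidemic; history[t] is the number of infected hosts after t
    ticks.  A scanner owns the space (prefix, k): all addresses whose top k
    bits equal prefix.  Hitting a new victim (or a honeynet it mistakes for
    one) at k < l splits the space: the infector keeps the lower half, the
    infectee gets the upper half.  A honeynet never scans, so its half goes
    unscanned; at k == l the infectee simply scans the same /l subnet."""
    rng = random.Random(seed)
    # the I0 hitlist hosts start infected and scan the whole address space
    scanners = {a: (0, 0) for a in rng.sample(sorted(vulnerable), i0)}
    history = [len(scanners)]
    for _ in range(max_ticks):
        if len(scanners) == len(vulnerable) or not can_progress(
                vulnerable, scanners, l, ping_pong, addr_bits):
            break
        newly = {}  # infected this tick; they start scanning next tick
        for host in list(scanners):
            for _ in range(scan_rate):
                prefix, k = scanners[host]
                target = (prefix << (addr_bits - k)) | rng.randrange(
                    1 << (addr_bits - k))
                if target not in vulnerable and target not in honeynets:
                    continue  # empty address: unproductive scan
                if target in scanners or target in newly:
                    # PPDCS: an already-infected address (its own included)
                    # signals saturation, so widen to the enclosing /(k-1)
                    if ping_pong and k > 0:
                        scanners[host] = (prefix >> 1, k - 1)
                    continue
                if k < l:
                    scanners[host] = (prefix << 1, k + 1)
                    child = ((prefix << 1) | 1, k + 1)
                else:
                    child = (prefix, k)
                if target in vulnerable:
                    newly[target] = child
        scanners.update(newly)
        history.append(len(scanners))
    return history


def time_to_infect(history, n, fraction=0.9):
    """First tick at which at least fraction*n hosts are infected, or None."""
    return next((t for t, c in enumerate(history) if c >= fraction * n), None)


if __name__ == "__main__":
    L = 8  # /8 DCS granularity, so N = 2^8 = 256 vulnerable hosts
    for u in (0, 4, 8):  # uniform ... every host inside one /8 subnet
        t90 = time_to_infect(simulate(nonuniform_u(u, L), L), 256)
        print(f"DCS, nonuniform-{u}: 90% infected after {t90} ticks")
    hosts = nonuniform_u(4, L)
    t90 = time_to_infect(simulate(hosts, L, ping_pong=True), 256)
    print(f"PPDCS, nonuniform-4: 90% infected after {t90} ticks")
    honey = uniform_honeynets(8, L, hosts)  # one honeynet address per /8
    print("DCS + /8 uniform honeynets: final", simulate(hosts, L, honey)[-1])
```

Run directly, it prints the 90% infection times for nonuniform-0, -4 and -8 (the last one shows the hitlist-like jump once the surviving lineage reaches the populated subnet) and the number of hosts the worm reaches before the honeynets leave it with no uninfected host in any scanning space.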

Note that distributed honeynets have not yet been implemented in the current Internet. The implementation of a distributed-honeynet system requires the collaboration among different organizations across the entire Internet and effective distributed algorithms for data fusion and processing, and thus presents a significant challenge.
</gr_repl ace>
<gr_replace lines="1243" cat="clarify" orig="In this paper,">
In this paper, we attempt to better understand the characteristics of DCS worms and potential countermeasures through both analysis and simulations. We have shown through examples that a DCS worm can propagate both faster and stealthier than a traditional RS worm. We have also analytically and empirically demonstrated that DCS can spread a worm much faster than RS if the vulnerable hosts follow a non-uniform distribution such as the Witty-like distribution. To defend against DCS worms, we have studied the infected-host removal and active honeynet mechanisms. The infected-host removal strategy can greatly reduce the final infection percentage, but requires the knowledge of infected hosts at the early stage of worm propagation. Active-honeynet deployment is a more practical method to slow down the spread of DCS worms. We have found that uniformly distributed active honeynets can counteract DCS worms more effectively than centralized active honeynets, and are potentially powerful against future intelligent worms.

6. Conclusions

In this paper, we attempt to better understand the char-acteristics of DCS worms and potential countermeasuresthrough both analysis and simulations. We have shownthat a DCS worm can propagate both faster and stealthierthan a traditional RS worm through examples. We havealso analytically and empirically demonstrated that DCScan spread a worm much faster than RS if the vulnerablehosts follow a non-uniform distribution such as theWitty-like distribution. To defend against DCS worms, wehave studied infected-host removal and active honeynetsmechanisms. The infected-host removal strategy cangreatly reduce the final infection percentage, but requiresthe knowledge of infected hosts at the early stage of wormpropagation. Active honeynets deployment is a more prac-tical method to slow down the spread of DCS worms. Wehave found that uniformly distributed active honeynetscan counteract DCS worms more effectively than central-ized active honeynets, and are potentially powerful againstfuture intelligent worms.

The Internet is moving from IPv4 to IPv6, significantly increasing the IP address space. However, if the distribution of vulnerable hosts is still highly uneven in IPv6, DCS worms can be a threat. For example, if most vulnerable hosts concentrate in a /32 subnet in IPv6 and the attacker knows about this subnet, the DCS worm can start from scanning this /32 subnet. Hence, the propagation speed of DCS worms can be similar to that of DCS worms in IPv4.

As part of our on-going work, we will study the effect of more factors on DCS worms. For example, the communication delay between two hosts differs depending on whether or not the target is in the same local network as the source. In general, the delay between two hosts in the same local network is shorter. In this work, we do not consider such a delay difference due to the locality between the source and the destination, but simply assume that the communication delay between any two hosts is equal to one time unit. However, DCS can potentially make use of such locality to shorten the communication delay and thus further speed up worm propagation. For example, infected host A is scanning subnet a.b.c.d/23 and hits vulnerable host B. When the scanning space is divided between A and B, the scanning space that B resides in is assigned to B. For instance, if B is in subnet a.b.c.d/24, B will be assigned the scanning space a.b.c.d/24. In this way, the hosts in B's scanning space are most likely B's local neighbors, and hence the communication delay between B and its targets can be shortened. Moreover, we plan to study future intelligent worms that exploit all three parameters (i.e., scanning rate, scanning probability, and scanning space) in an optimal way.

References

[1] M. Bailey, E. Cooke, F. Jahanian, J. Nazario, D. Watson, The Internet Motion Sensor: a distributed blackhole monitoring system, in: Network and Distributed System Security Symposium (NDSS'05), 2005.

[2] P. Barford, R. Nowak, R. Willett, V. Yegneswaran, Toward a model for sources of Internet background radiation, in: Proceedings of the Passive and Active Measurement Conference (PAM'06), 2006.

[3] Z. Chen, C. Chen, C. Ji, Understanding localized-scanning worms, in: Proceedings of the 26th IEEE International Performance Computing and Communications Conference (IPCCC'07), New Orleans, LA, 2007, pp. 186–193.

[4] Y. Li, Z. Chen, C. Chen, Understanding divide-conquer-scanning worms, in: Proceedings of the 27th IEEE International Performance Computing and Communications Conference (IPCCC'08), Austin, TX, 2008.

[5] Z. Chen, L. Gao, K. Kwiat, Modeling the spread of active worms, in: Proceedings of INFOCOM'03, vol. 3, San Francisco, CA, 2003, pp. 1890–1900.

[6] Z. Chen, C. Ji, Optimal worm-scanning method using vulnerable-host distributions, International Journal of Security and Networks: Special Issue on Computer and Network Security 2 (1/2) (2007).

[7] Z. Chen, C. Ji, An information-theoretic view of network-aware malware attacks, IEEE Transactions on Information Forensics and Security 4 (3) (2009) 530–541.

[8] Z. Chen, C. Ji, P. Barford, Spatial-temporal characteristics of Internet malicious sources, in: Proceedings of INFOCOM'08 Mini-Conference, Phoenix, AZ, 2008.

[9] T.H. Cormen, C.E. Leiserson, R.L. Rivest, C. Stein, Introduction to Algorithms, The MIT Press, McGraw-Hill, 2002.

[10] A. Lakhina, M. Crovella, C. Diot, Mining anomalies using traffic feature distributions, in: Proceedings of ACM SIGCOMM'05, Philadelphia, PA, 2005.

[11] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver, Inside the Slammer worm, IEEE Security and Privacy 1 (4) (2003) 33–39.

[12] D. Moore, C. Shannon, J. Brown, Code-Red: a case study on the spread and victims of an Internet worm, in: ACM SIGCOMM/USENIX Internet Measurement Workshop, Marseille, France, 2002.

[13] P. Porras, H. Saidi, V. Yegneswaran, A Multi-Perspective Analysis of the Storm (Peacomm) Worm, SRI Technical Report, 2007.

[14] The Honeynet Project, Know Your Enemy: Learning About Security Threats, Pearson Education, 2004.

[15] M.A. Rajab, F. Monrose, A. Terzis, On the effectiveness of distributed worm monitoring, in: Proceedings of the 14th USENIX Security Symposium (Security'05), Baltimore, MD, 2005, pp. 225–237.

[16] D.W. Richardson, S.D. Gribble, E.D. Lazowska, The limits of global scanning worm detectors in the presence of background noise, in: Proceedings of the ACM Workshop on Rapid Malcode (WORM'05), Fairfax, VA, 2005, pp. 60–70.

[17] C. Shannon, D. Moore, The spread of the Witty worm, IEEE Security and Privacy 2 (4) (2004) 46–50.

[18] S. Singh, C. Estan, G. Varghese, S. Savage, Automated worm fingerprinting, in: Proceedings of the 6th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI'04), San Francisco, CA, 2004, pp. 45–60.

[19] S. Staniford, V. Paxson, N. Weaver, How to own the Internet in your spare time, in: Proceedings of the 11th USENIX Security Symposium (Security'02), San Francisco, CA, 2002.

[20] J. Twycross, M.M. Williamson, Implementing and testing a virus throttle, in: Proceedings of the 12th USENIX Security Symposium (Security'03), Washington, DC, 2003, pp. 285–294.

[21] M. Vojnovic, V. Gupta, T. Karagiannis, C. Gkantsidis, Sampling strategies for epidemic-style information dissemination, in: Proceedings of INFOCOM'08, Phoenix, AZ, 2008.

[22] J. Xia, S. Vangala, J. Wu, L. Gao, K. Kwiat, Effective worm detection for various scan techniques, Journal of Computer Security 14 (4) (2006) 359–387.

[23] V. Yegneswaran, P. Barford, D. Plonka, On the design and utility of Internet sinks for network abuse monitoring, in: Symposium on Recent Advances in Intrusion Detection (RAID'04), 2004.

[24] W. Yu, X. Wang, D. Xuan, D. Lee, Effective detection of active smart worms with varying scan rate, in: Proceedings of the IEEE Communications Society/CreateNet International Conference on Security and Privacy in Communication Networks (SecureComm'06), 2006.

[25] W. Yu, X. Wang, D. Xuan, W. Zhao, On detecting camouflaging worm, in: Proceedings of the Annual Computer Security Applications Conference (ACSAC'06), 2006.

[26] C.C. Zou, D. Towsley, W. Gong, On the performance of Internet worm scanning strategies, Elsevier Journal of Performance Evaluation 63 (7) (2006) 700–723.

[27] C.C. Zou, D. Towsley, W. Gong, S. Cai, Advanced routing worm and its security challenges, Simulation: Transactions of the Society for Modeling and Simulation International 82 (1) (2006) 75–85.

[28] CAIDA, Network Telescope, available at: <http://www.caida.org/research/security/telescope/>, 2009 (accessed 08.09).

[29] Computing Research Association, Grand Research Challenges in Information Security and Assurance, available at: <http://archive.cra.org/Activities/grand.challenges/security/home.html>, 2010 (accessed 04.10).

[30] C. Shannon, D. Moore, The CAIDA Dataset on the Witty Worm – March 19–24, 2004, <http://www.caida.org/data/passive/witty_worm_dataset.xml>. Support for the Witty Worm Dataset and the UCSD Network Telescope are provided by Cisco Systems, Limelight Networks, the US Department of Homeland Security, the National Science Foundation, DARPA, Digital Envoy, and CAIDA Members.

[31] Distributed Intrusion Detection System (DShield), <http://www.dshield.org/>.

[32] Wikipedia, Logistic Function, available at: <http://en.wikipedia.org/wiki/Logistic_function>, 2009 (accessed 08.09).

Chao Chen is an assistant professor with the Department of Engineering, Indiana University – Purdue University Fort Wayne. She received her M.S. and Ph.D. degrees from Georgia Institute of Technology in 2003 and 2005, respectively. Her current research interests include routing in mobile ad hoc networks and space-based communication networks, modeling and performance evaluation of wireless opportunistic networks, and network security.

Zesheng Chen is an associate faculty member with the Department of Engineering, Indiana University – Purdue University Fort Wayne. He received his M.S. and Ph.D. degrees from the School of Electrical and Computer Engineering at the Georgia Institute of Technology in 2005 and 2007, respectively. His research interests include network security and the performance evaluation of computer networks.

Yubin Li is a Ph.D. student with the Department of Software and Information System, University of North Carolina at Charlotte. She received her M.E. degree from the College of Software in Beihang University, Beijing, China in 2007 and B.E. degree from the School of Electronic Engineering at Beihang University, Beijing, China in 2004. Her research interests include assurable and usable security configuration and network security.